Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread libor.peltan
Hi Ben, On 25. 02. 21 at 1:50 Ben Schwartz wrote: On Wed, Feb 24, 2021 at 6:57 PM Brian Dickson wrote: That's not possible. The DS records are on the parent side (TLD) and the TTL is set by the TLD per whatever their standard policy i

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Mark Andrews
> On 25 Feb 2021, at 09:13, Ben Schwartz wrote: > > > > On Wed, Feb 24, 2021 at 4:44 PM Mark Andrews wrote: > > > > On 25 Feb 2021, at 02:01, Ulrich Wisser > > wrote: > ... > > At the current state of dnssec RFC definitions it is unclear how you could > > change DNS operators securely

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Ben Schwartz
On Wed, Feb 24, 2021 at 6:57 PM Brian Dickson wrote: > > That's not possible. The DS records are on the parent side (TLD) and the > TTL is set by the TLD per whatever their standard policy is. Same for > RRSIGs over those DS records. > That's fine. I meant the TTLs of the ZSKs and zone contents

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Wes Hardaker
Ulrich Wisser writes: > Not only am I in favor of the RFC6840 lax validation, it is in fact > necessary for secure DNSSEC operation. I almost wrote up an ID specifically to say validation should always be lax but be much more clear about it than the current specs. I kind of like Ben's proposal,

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Brian Dickson
On Wed, Feb 24, 2021 at 2:14 PM Ben Schwartz wrote: > > > On Wed, Feb 24, 2021 at 4:44 PM Mark Andrews wrote: > >> >> >> > On 25 Feb 2021, at 02:01, Ulrich Wisser > 40wisser...@dmarc.ietf.org> wrote: >> > ... > >> > At the current state of dnssec RFC definitions it is unclear how you >> could ch

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Mark Andrews
> On 25 Feb 2021, at 02:01, Ulrich Wisser > wrote: > >> >> On 23 Feb 2021, at 17:49, Ben Schwartz >> wrote: >> >> >> >> On Tue, Feb 23, 2021 at 11:21 AM Samuel Weiler wrote: >> ... >> Recognizing that I'm likely biased by my history of working on the >> current "mandatory algorithm rul

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Paul Wouters
On Wed, 24 Feb 2021, Ben Schwartz wrote: On Tue, Feb 23, 2021 at 11:05 PM Brian Dickson wrote: ... My perspective is that most zone operators will only want to deploy a single algorithm, and improving the rate at which new algorithms are feasible to be adopted should be an explici

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Ben Schwartz
On Tue, Feb 23, 2021 at 11:05 PM Brian Dickson < brian.peter.dick...@gmail.com> wrote: ... > My perspective is that most zone operators will only want to deploy a > single algorithm, and improving the rate at which new algorithms are > feasible to be adopted should be an explicit goal. > I don't

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread libor.peltan
Hi Ulrich, please see below. Libor On 24. 02. 21 at 16:01 Ulrich Wisser wrote: On 23 Feb 2021, at 17:49, Ben Schwartz wrote: On Tue, Feb 23, 2021 at 11:21 AM Samuel Weiler wrote: ... Recognizing that I'm

Re: [DNSOP] DNSSEC Strict Mode

2021-02-24 Thread Ben Schwartz
On Wed, Feb 24, 2021 at 1:32 AM Ralf Weber wrote: > Moin! > > On 23 Feb 2021, at 16:08, Ben Schwartz wrote: > > > Inspired by some recent discussions here (and at DNS-OARC), and > > hastened by > > the draft cut-off, I present for your consideration "DNSSEC Strict > > Mode": > > > https://datatra

Re: [DNSOP] [Ext] DNSSEC Strict Mode

2021-02-24 Thread Ulrich Wisser
> On 23 Feb 2021, at 17:49, Ben Schwartz > wrote: > > > > On Tue, Feb 23, 2021 at 11:21 AM Samuel Weiler > wrote: > ... > Recognizing that I'm likely biased by my history of working on the > current "mandatory algorithm rules", I don't buy the need for this > comp